Re: Problem in start TLS in LDAP

Mohana wrote:
"But if the client is on some other machine, then without the TLS_CACERT
directive in that machine's ldap.conf file, the TLS connection is
succeeding. Isn't this not correct?"
Hmmm, double negative ... the answer is yes. This is correct. TLS does
not require a CA cert on the client. See
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#5.4 and the
first column shows no CA cert directive in ldap.conf for a basic TLS
configuration. This works because only the server certificate is needed to
set up TLS.
Cheers,
Kent
"You don't stop playing because you grow old ...
you grow old because you stop playing."
Linux Technology Center, Linux Security
tie line: 678-9216
external: 1-512-838-9216
e-mail: dksoper@us.ibm.com
Mohana Sundaram <msivakum@npd.hcltech.com>
To: Kent Soper/Austin/IBM@IBMUS, openldap-software@OpenLDAP.org
cc:
Subject: Problem in start TLS in LDAP
09/23/2003 06:34 AM
Hi all,
I have followed the steps in the following document.
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
Step 6 in this document is quoted below:
6. Make the CA certificate available to your LDAP clients.
If the client is on the same machine, copy cacert.pem to a location
accessible by the client. If clients are on other machines, then cacert.pem
will have to be copied to those machines and also made accessible.
If the client is on the same machine with the following ldap.conf file,
TLS_CACERT /usr/local/var/openldap-data/cacert.pem
TLS_REQCERT demand
it is working fine. If I comment out the TLS_CACERT directive, the TLS
connection request is failing.
But if the client is on some other machine, then without the TLS_CACERT
directive in that machine's ldap.conf file, the TLS connection is
succeeding. Isn't this not correct? Can someone explain this behaviour?
Thanks,
- Mohan.
--
Mohana Sundaram K.S.
HCL Technologies
www.hcltechnologies.com/voip
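The thread above turns on what the client's ldap.conf asks libldap to do with the server certificate. The following script is an added example, not code from the thread, the HOWTO or the OpenLDAP project: it audits an ldap.conf the way ldap.conf(5) documents the TLS_REQCERT levels (never/allow do not check the server certificate at all; try/demand/hard terminate the session on an untrusted certificate, so they need a trust anchor from TLS_CACERT or TLS_CACERTDIR; with no TLS_REQCERT line the documented default is demand). The three config files are constructed for the example. The first two reproduce Mohan's same-host test; the third is an assumed scenario, a client whose StartTLS succeeds with no CA cert because its TLS_REQCERT level never checks the certificate.

```shell
#!/bin/sh
# Added example, not from the thread above: audit an OpenLDAP client ldap.conf
# for whether the server certificate is actually verified on StartTLS.
# Assumes the directive semantics documented in ldap.conf(5):
#   TLS_REQCERT never|allow     - server cert not checked; StartTLS succeeds with no CA cert
#   TLS_REQCERT try|demand|hard - an untrusted cert terminates the session, so a
#                                 trust anchor (TLS_CACERT or TLS_CACERTDIR) is needed
#   no TLS_REQCERT line         - ldap.conf(5) documents the default as demand
# The config files written below are constructed for this example.

# audit_ldap_conf FILE
# Prints: verified   - certificate checked against a configured CA
#         fails      - checking requested, but no CA configured (StartTLS will fail)
#         unverified - StartTLS succeeds but the server identity is never checked
audit_ldap_conf() {
    conf="$1"
    # Keywords are case-insensitive; a later directive overrides an earlier one.
    reqcert=$(sed 's/#.*//' "$conf" |
        awk 'toupper($1)=="TLS_REQCERT" {v=$2} END {print tolower(v)}')
    cacert=$(sed 's/#.*//' "$conf" |
        awk 'toupper($1)=="TLS_CACERT" || toupper($1)=="TLS_CACERTDIR" {v=$2} END {print v}')
    if [ -z "$reqcert" ]; then
        reqcert=demand   # default level per ldap.conf(5)
    fi
    case "$reqcert" in
        never|allow)
            echo unverified ;;
        try|demand|hard)
            if [ -n "$cacert" ]; then echo verified; else echo fails; fi ;;
        *)
            echo "unknown TLS_REQCERT level: $reqcert"; return 1 ;;
    esac
}

TMPD=$(mktemp -d)

# Client as configured in the original post: CA cert present, verification demanded.
cat > "$TMPD/same-host.conf" <<'EOF'
TLS_CACERT /usr/local/var/openldap-data/cacert.pem
TLS_REQCERT demand
EOF

# Same file with TLS_CACERT commented out: StartTLS is expected to fail.
cat > "$TMPD/no-ca.conf" <<'EOF'
#TLS_CACERT /usr/local/var/openldap-data/cacert.pem
TLS_REQCERT demand
EOF

# Assumed scenario for the other machine: no CA cert, and a level that never
# checks the server certificate, so StartTLS succeeds without verifying anything.
cat > "$TMPD/other-host.conf" <<'EOF'
tls_reqcert allow
EOF

for f in same-host no-ca other-host; do
    printf '%-12s %s\n' "$f" "$(audit_ldap_conf "$TMPD/$f.conf")"
done

# To confirm against a live server (not run here), -ZZ makes ldapsearch fail
# unless StartTLS succeeds, e.g.:
#   ldapsearch -x -ZZ -H ldap://ldap.example.com -b '' -s base
```

The file-level audit is only part of the picture: libldap also reads the user's ~/.ldaprc and honours LDAPTLS_REQCERT and LDAPTLS_CACERT environment variables, so when a client on another host connects "without a CA cert", check those as well before concluding what level of verification it actually performed.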